There are a growing number of Internet users. In addition, there are a growing number of Internet applications that provide an array of services for these users. In such an environment, data security is often a concern. Users continually transmit and receive data over the Internet, and much of this data may be insecure. Unintended recipients may not only have access to the data, but may also obtain information concerning the identity of the sender(s).
The Internet Protocol is an addressing protocol designed to facilitate the routing of traffic in a network. The Internet Protocol is used on many computer networks, including the Internet. It is often desirable to protect information sent with the Internet Protocol using different types of security. Implementing security with the Internet Protocol allows private or sensitive information to be sent over a network with a degree of confidence that the information will not be intercepted, examined, or altered.
Internet Protocol security (IPsec) is a protocol for implementing security for communications on networks using the Internet Protocol through the use of cryptographic key management procedures and protocols. By using IPsec, two endpoints can implement a Virtual Private Network (VPN). Communications between the two endpoints are made secure by IPsec on a packet-by-packet basis. IPsec entities at connection endpoints have access to, and participate in, critical and sensitive operations.
IPsec defines a set of operations for performing authentication and encryption at the packet level by adding protocol headers to each packet. IPsec also implements security associations to identify secure channels between two endpoints for a VPN. A security association is a unidirectional session between the two endpoints. Since a security association is unidirectional, a minimum of two security associations is required for secure, bidirectional communications between the two endpoints when using IPsec in a VPN.
VPN's could be called virtual private links. They provide great point-to-point security, but they do not scale well to support large groups. For example, assume a group of twelve users wishes to create their own private network overlay to provide secure collaboration. These twelve users need a cryptographically isolated network that allows each of the machines to communicate directly with any of the other machines in the group. If the group was using IPsec, they would need to establish (N*(N−1))/2 pairwise associations, where N is equal to twelve. IPsec and the associated IKE key management does not (and was never designed to) provide group management. IPsec also does not function well in an environment having Network Address Translation (NAT) devices.
For the reasons stated above, and for other reasons stated below which will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need for the present invention.